Two-Factor Bypass: Real Time Phishing and How to Protect Your Company

No way someone could steal your credentials, right? Just to sign in to work you have to enter a password and a PIN. No one could find those out. Well, maybe not from you answering an email, but a redirect to a site that looks like the one you were expecting could leave you handing your credentials to a thief. Sounds too weird to be true? It happens all the time. It is so common that modern browsers need to update constantly, in part to keep cyber criminals from redirecting people away from the websites of legitimate businesses. Real-time phishing has become a common technique that has nearly rendered two-factor authentication useless.

What is 2FA?

Two-factor authentication (2FA) has been a popular approach to validating who someone is. The idea is simple: since a password is one factor, add another layer, a second factor. These factors can come in various forms. One kind of factor leverages knowledge, something the user knows such as a password, PIN, or secret key. Many companies build their 2FA from two knowledge-based factors. Another kind of factor is based on possession: things like key cards, smartphones, or tokens. Companies with more stable finances often use these types of factors effectively. Additionally, if there is some sort of compromise, a key card's access can be deactivated as quickly as a password. Unfortunately, these usually only apply to physical locations and cannot be used effectively for the cloud or your servers. The final kind of factor is the inherence factor. These types of factors include fingerprints, eye scans, face, voice, or even keystroke behavior. Inherence factors are not used as often because they are expensive to implement.

The complexity of these layers can go beyond two factors, but for many businesses two is enough. At least it was, until hackers found out how to get around it.

Real-Time Phishing

The hackers use a technique called real-time phishing, which is a Man-in-the-Middle (MITM) type of attack. Specifically, during this type of attack users are guided through fake websites via an initial redirect. These fake webpages look like what the users would be expecting on the site they meant to visit. The pages are seamless, and the users often do not know they are being guided in real time to give their credentials to a cyber criminal. The specific technical approaches are called IP spoofing, ARP spoofing, and DNS spoofing.

An example of this would be if you clicked a link to visit a bank you have an account with. You come to a screen that looks normal, but it seems they are asking you for more information than usual just to get into your account. You follow all their steps and then log in, and things seem normal for the most part. The next day you log in and your account has been cleared of all funds.

These situations are often really scary and can leave you feeling lost. MITM attacks are never easy to detect. Websites that are not secure can have forms vulnerable to MITM attacks. Even then, some of the attacks have gotten so advanced that they are able to trick the browser into thinking their websites are safe for data input. On the user's end it becomes extremely difficult to tell they are not in the right place.

Protecting Yourself

There are a few things you can do to ensure you are protected from MITM-type attacks, and thus from real-time phishing. Practice what you can, but always be vigilant when you are online to avoid this method of credential theft. Some safety tips include:

Private WiFi

MITM attacks happen very often on public wifi networks, so one of the first lines of defense is to avoid these networks, as convenient as they may be. Public networks are like a candy store for hackers, since so many people have vulnerabilities on their mobile devices and laptops.

Pay attention to browser notifications that tell you when a site is unsecured. If your browser does not have notifications for unsecured websites, you can always look for the green "secure" icon next to the web address. If it is not there, do not trust the website. Secure communication protocols are still an effective way to remain safe from spoofing attacks while browsing. Legitimate websites will have HTTPS enabled on every page you visit. Always check for verified certificates.
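The address-bar checks above can be written down as a small script. This is an added example, not code from the article or from Teramind; the expected hosts, the brand name and the sample URLs are constructed for illustration, and a real deployment would substitute its own login hosts.

```python
"""Flag a login URL that may not be the site the user expects.

Added example, not code from the article. The expected hosts, brand name
and sample URLs are constructed for illustration only.
"""
from urllib.parse import urlsplit

# Constructed: the legitimate hosts of a hypothetical bank's login page.
EXPECTED_HOSTS = {"login.example-bank.com", "www.example-bank.com"}
BRAND = "example-bank"  # the name a lookalike domain would try to imitate


def check_login_url(url: str) -> list[str]:
    """Return the red flags found in `url`; an empty list means none."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    # IDNA-encode so a hostname built from lookalike (homoglyph) characters
    # shows up as an xn-- label instead of hiding behind a familiar glyph.
    ascii_host = host.encode("idna").decode("ascii")

    if parts.scheme != "https":
        flags.append("not HTTPS: credentials would be sent in the clear")
    if parts.username or parts.password:
        flags.append("user info before '@': the real host is after the '@'")
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        flags.append("internationalized (xn--) label: possible homoglyph lookalike")
    if ascii_host not in EXPECTED_HOSTS:
        if BRAND in ascii_host:
            # The brand name inside a host we do not own is the classic
            # lookalike pattern (e.g. brand.com.attacker-domain.example).
            flags.append(f"lookalike host contains '{BRAND}': {ascii_host}")
        else:
            flags.append(f"unexpected host: {ascii_host}")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, three that should raise flags.
    for sample in (
        "https://login.example-bank.com/login",
        "http://login.example-bank.com/login",
        "https://login.example-bank.com.attacker.example/login",
        "https://login.example-bank.com@attacker.example/login",
    ):
        print(sample, "->", check_login_url(sample) or "OK")
```

The host comparison is exact on purpose: a proxy sitting between the user and the real site has to live on a host of its own, and that host is the one thing a real-time phishing page cannot make identical.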

Real-time phishing is an ongoing issue for users, business owners, and web administrators. If your employees are not using HTTPS or are not on private wifi when accessing your network, they could expose your network to malicious actors who steal their credentials.

Isaac Kohen started his career in quantitative finance developing complex trading algorithms for a major Wall Street hedge fund. During his tenure at Wall Street and his subsequent experience securing highly sensitive data for large multi-national conglomerates, he identified the market need for a comprehensive insider threat and data loss prevention solution. And so, Teramind was born. Isaac is a well-recognized thought leader in the security industry with many of his articles published in Forbes, Inc, Tripwire, and CSO Online. Read more industry thought leadership articles on Isaac's LinkedIn.